Towards a Reconceptualisation of Cyber Risk: An Empirical and Ontological Study
This study addresses a conceptual gap in how cybersecurity professionals and researchers understand cyber risk, providing the first quantitative evidence of this divergence, which is incremental in nature.
The paper tackles the inconsistency between theoretical definitions of cyber risk and its practical use by cybersecurity professionals, finding that neither practitioners nor the current generation of cybersecurity ontologies employ concepts such as likelihood and impact, focusing instead on adversarial terms.
The prominence and use of the concept of cyber risk have been rising in recent years. This paper presents empirical investigations focused on two important and distinct groups within the broad community of cyber-defense professionals and researchers: (1) cyber practitioners and (2) developers of cyber ontologies. The key finding of this work is that the way cybersecurity practitioners treat the concept of cyber risk is largely inconsistent with the definitions of cyber risk commonly offered in the literature. Contrary to commonly cited definitions of cyber risk, concepts such as the likelihood of an event and the extent of its impact are not used by cybersecurity practitioners. The same holds for the use of these concepts in the current generation of cybersecurity ontologies. Instead, terms and concepts reflective of the adversarial nature of cyber defense take the most prominent roles. This research offers the first quantitative empirical evidence that rejection of traditional concepts of cyber risk by cybersecurity professionals is indeed observed in real-world practice.